Hi, I have a situation where I don't see how I can achieve the connectivity:
The SSG320 has a zone called PROVIDER which hosts a business application for us in remote data centers. We have an access policy between PROVIDER and the internal TRUST zone to allow only certain traffic into our internal network. For the sake of discussion, the PROVIDER side network is 192.168.1.0/24 and our internal TRUST zone side network is 10.1.0.0/16. Now I have to establish a policy-based IPsec tunnel to one of our contractors so the contractors can access PROVIDER's network through our network. The contractor side network is 172.16.1.0/24. I assume I have to configure the policy-based IPsec tunnel to our contractor this way:
policy from zone PROVIDER to Untrust, source 192.168.1.0/24, destination 172.16.1.0/24, action: tunnel, tunnel: VPN-to-Contractor.
The problem is that PROVIDER has no idea about the 172.16.1.0/24 network, so I will have to let the provider send traffic to 10.1.16.0/24, which is a network PROVIDER knows how to route to us. When the SSG320 receives such traffic, it will destination-NAT the traffic to 172.16.1.0/24 and send it to the contractor over the VPN. Question: where do I configure this policy NAT? From PROVIDER to TRUST, even though the TRUST zone is not involved in the connection? Where do I configure the policy for the contractor to access 192.168.1.0? From Untrust->PROVIDER? That won't work, because I will need to source-NAT this traffic to one of our networks which PROVIDER knows. Or should I configure the policy-based VPN from zone TRUST to zone Untrust?
I'm not sure I made myself clear; any feedback is appreciated.